Carbon, Turla’s Latest Version of Malware Under Microscope

Over the past decade, the cyberattackers behind Turla have shown quite a broad arsenal of tools – all of them focused on acquiring data from selected high profile institutions in Europe and USA. Today, ESET researchers released their discoveries in an in-depth analysis of the innovations found in the latest versions of Turla’s second stage backdoor, dubbed Carbon.

Known to change their tools once exposed, Turla group keeps its malware in constant development, changing mutexes and file names between each version. This is valid for Carbon as well – in the three years since its development, ESET researchers have been able to confirm eight active versions thus far. Notorious for its painstaking efforts and its work in stages, Turla group first performs reconnaissance on their victim’s systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spear phishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack. After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the victim’s machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

The architecture of Carbon consists of a dropper that installs the Carbon components and its configuration file, a component that communicates with Command and Control servers (C&C), and an orchestrator that handles tasks, dispatches them to other computers on the network and injects them into a legitimate process -the DLL- that communicates with the C&C and a loader that executes the orchestrator.

“Carbon shares some similarities with other Turla’s tool – rootkit Uroburos. The most relevant resemblance being the communication framework. The communication objects are implemented in the same way, the structures and virtual tables look identical except that there are fewer communication channels in Carbon,” explains the paper. “Carbon might be the “lite” version of Uroburos without kernel components and exploits.”

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.